Sensor based system and method for premises safety and operational profiling based on drift analysis

ABSTRACT

A system includes plural sensor devices installed at a premises and a server computer coupled to a network and in communication with a gateway, which receives a risk profile for a physical premises, collect sensor information from the plural sensor devices and receives data feeds relevant to a location of the physical premises and execute one or more learning models to continually analyze the collected sensor information and data feeds to produce operational decisions based on the sensor information and data feeds to predict changes to risk profiles based on the continual analysis of sensor information and which determines responses to new risk profiles that are produced. The system also includes an engine for monitoring the sensor devices to recognize occurrences of events, and ask, through an interface to a human for additional information to confirm an occurrence of one or more of the events.

CLAIM OF PRIORITY

This application claims priority under 35 U.S.C. § 119(e) to provisionalU.S. Patent Application 62/318,291, filed on Apr. 5, 2016, entitled:“Sensor Based System And Method For Premises Safety And OperationalProfiling Based On Drift Analysis” the entire contents of which isincorporated herein by reference.

BACKGROUND

This description relates to operation of sensor networks such as thoseused for security, intrusion and alarm systems installed on industrialor commercial or residential premises.

It is common for businesses to have various types of systems such asintrusion detection, fire detection and surveillance systems fordetecting various alarm conditions at their premises and signaling theconditions to a monitoring station or authorized users. Other systemsthat are commonly found in businesses are access control systems havecard readers and access controllers to control access, e.g., open orunlock doors, etc. These systems use various types of sensor devicessuch as motion detectors, cameras, and proximity sensor devices,thermal, optical, vibration sensor devices and so forth.

SUMMARY

Companies develop, deploy, monitor and service various types of suchequipment for controlling access to and for protecting physicalpremises, such as buildings and other physical areas, such as storageyards, etc. Equipment employed include fire protection products,intrusion products, video surveillance products, access controlproducts, etc. Those products typically are accessed via a dedicatedpanel that resides in the building or via a remote application such ason a mobile device.

According to an aspect, a computer program product tangibly stored on acomputer readable hardware storage device, the computer program productfor detecting conditions at a physical premises, the computer programproduct comprising instructions to cause a processor to receive a riskprofile for a physical premises, collect sensor information from pluralsensor devices deployed in the premises, with the sensor devicesconfigured with an identity of the premises and physical objects beingmonitored by the sensor devices in the identified premises, receive datafeeds relevant to a location of the physical premises, execute one ormore learning models to continually analyze the collected sensorinformation and data feeds to produce operational decisions based on thesensor information and data feeds, predict changes to the risk profilebased on the continual analysis of sensor information, determine a newrisk profile for the physical premises based on the predicted changes,determine responses to the new risk profile, retrieve a group ofpremises that contains a listing of premises with a determined affinityin shared characteristics among the premises, and determine whether tosend the determined responses to systems associated with the premiseslisted in the retrieved group of premises according to the determinedaffinity.

Additional aspects include systems and methods.

Additional features of the computer program product, systems and methodsmay include other features and have advantages disclosed herein.

The details of one or more embodiments of the invention are set forth inthe accompanying drawings and the description below. Other features,objects, and advantages of the invention is apparent from thedescription and drawings, and from the claims.

DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram of an exemplary networked security system.

FIG. 2 is a block diagram of a generic, typical sensor that includescomputer processing capabilities.

FIG. 3 is a block diagram of a system architecture for a sensor-baseddynamic risk event prioritization and recommendation system.

FIG. 4 is a block diagram showing details of the recommendation systemof FIG. 3.

FIGS. 5, 5A and 6 are flow diagrams depicting functional aspects of thesystem of FIG. 4.

FIG. 7 is a flow diagram of a process to determine a critical decision.

FIG. 8 is flow diagram of affinity processing.

FIG. 9 is a diagram depicting details of NLP processing.

DETAILED DESCRIPTION

Described herein are surveillance/intrusion/fire/access systems that arewirelessly connected or to a variety of sensor devices. In someinstances, those systems maybe wired to sensor devices. Examples ofdetector/sensor devices (sensor/detector being used interchangeablyherein) include sensor devices that detect/sense generalphysical/chemical/biological conditions. Examples of detector/sensordevices include motion detectors, glass break detectors, noxious gassensor devices, smoke/fire detectors, contact/proximity switches, videosensor devices such as cameras, audio sensor devices such as microphonesand directional microphones, temperature sensor devices such as infraredsensor devices, vibration sensor devices, air movement/pressure sensordevices, chemical/electro-chemical sensor devices, e.g., VOC (volatileorganic compound) detectors, etc. In some instances, those systems mayhave sensor devices that are weight sensor devices, LIDAR (technologythat measures distance by illuminating a target with a laser andanalyzing the reflected light), GPS (global positioning system)receivers, optical, biometric sensor devices, e.g., retina scan sensordevices, EGG/Heartbeat sensor devices in wearable computing garments,network hotspots and other network devices, and others.

More specifically, at least some of the sensor devices that are deployedare of a type whose operation can be modified during specific events orconditions. In addition, processing can also combine certain sensortypes referred to above to provide various complex results. Thus,combining sensor types such as video surveillance, Bluetooth® or othernear field beacon detection, access control, fire detection, weapondetection, license plate recognition, facial recognition, gunshotrecognition, aggravated event sound detection, automated sound recordingby employee phones in the event of an emergency, etc., can result inoccupancy/presence detection, of specific individuals.

Some sensor devices are configured to monitor the status of other sensordevices. For example, a sensor device could monitor the status of videosurveillance cameras so that a cloud application (discussed below) isimmediately informed when one or more sensor devices, e.g., the videosurveillance camera malfunctions. Upon processing in the cloudapplication (discussed below), the cloud application produces anoperational decision that is to immediately generate a message to adesignated system/device to dispatch a security maintenance provider toservice the affected malfunctioning sensor.

Referring now to FIG. 1, an exemplary (global) distributed networkedarrangement 10 for surveillance/intrusion/fire/access systems usingwirelessly deployed sensor devices (generally 20) is shown. In FIG. 1,the wireless distributed networked arrangement 10 is logically dividedinto a set of tiers or hierarchical levels 12 a-12 c. Thesurveillance/intrusion/fire/access systems employ these wireless sensornetworks (not numbered) and wireless devices 20, with remote,cloud-based server monitoring and report generation via level 12 a. Asdescribed in more detail below, the wireless sensor networks providewireless links (illustrated but not numbered) between sensor devices andservers via the second level 12 b, with the wireless links usually usedfor the lowest level connections (e.g., sensor node devices tohub/gateway connections).

In an upper tier or hierarchical level 12 a of the network are disposedservers and/or virtual servers 14 running a “cloud computing” paradigmthat are networked together using well-established networking technologysuch as Internet protocols or which can be private networks that usenone or only part of the Internet. Applications that run on thoseservers 14 communicate using various protocols such as for Web Internetnetworks XML/SOAP, RESTful web service, and other application layertechnologies such as HTTP and ATOM. The distributed network 10 hasdirect links between devices (nodes) as shown and discussed below. Inone implementation, hierarchical level 12 a includes a centralmonitoring station 49 comprised of one or more of the server computers14 and which includes or receives information from a sensor based stateprediction system 50 as will be described below.

The distributed networked arrangement 10 includes a second logicallydivided tier or hierarchical level 12 b, referred to here as a middletier that involves gateways 16 located at central, convenient placesinside individual buildings and structures. These gateways 16communicate with servers 14 in the upper tier whether the servers arestand-alone dedicated servers and/or cloud based servers running cloudapplications using web programming techniques. The middle tier gateways16 are also shown with both local area network 17 a (e.g., Ethernet or802.11) and cellular network interfaces 17 b. The distributed networkedarrangement 10 also includes a lower tier (edge layer) 12 c set ofdevices that involve fully-functional sensor nodes 18 (e.g., sensornodes that include wireless devices, e.g., transceivers or at leasttransmitters, which in FIG. 1 are marked in with an “F”), as well aswireless sensor nodes or sensor end-nodes 20 (marked in the FIG. 1 with“C”). In some embodiments, wired sensor devices (not shown) can beincluded in aspects of the distributed networked arrangement 10.

In the lower tier 12 c (wirelessly-connected tier) are the sensordevices 20 that provide specific sensor functions. At least some ofthese sensor devices 20 have a processor and memory, and may be batteryoperated and include a wireless network card. Others may be wireddirectly into the middle tier or to other nodes in the lower tier. Theedge devices generally form a single wireless network in which eachend-node communicates directly with its parent node in ahub-and-spoke-style architecture. The parent node may be, e.g., anetwork access point (not to be confused with an access control deviceor system) on a gateway or a sub-coordinator which is, in turn isconnected to the access point or another sub-coordinator.

In a typical implementation, the edge (wirelessly-connected) tier 12 cof the distributed networked arrangement 10 is largely comprised ofdevices with specific functions. These devices have a small-to-moderateamount of processing power and memory, and often are battery powered,thus requiring that they conserve energy by spending much of their timein sleep mode. A typical model is one where the edge devices generallyform a single wireless network in which each end-node communicatesdirectly with its parent node in a hub-and-spoke-style architecture. Theparent node may be, e.g., an access point on a gateway or asub-coordinator which is, in turn, connected to the access point oranother sub-coordinator.

Each gateway is equipped with an access point (fully functional sensornode or “F” sensor node) that is physically attached to that accesspoint and that provides a wireless connection point to other nodes inthe wireless network. The links (illustrated by lines not numbered)shown in FIG. 1 represent direct (single-hop MAC layer) connectionsbetween devices. A formal networking layer (that functions in each ofthe three tiers shown in FIG. 1) uses a series of these direct linkstogether with routing devices to send messages (fragmented ornon-fragmented) from one device to another over the network.

In some instances, the sensor devices 20 are sensor packs (discussedbelow), which are configured for a particular types of businessapplications, whereas in other implementations the sensor devices arefound in installed systems such as the example security systemsdiscussed below.

Referring to FIG. 2, a typical configuration for a sensor device 20 isshown. Sensor device 20 includes a processor device 21 a, e.g., a CPUand or other type of controller device that executes under an operatingsystem, generally with 8-bit or 16-bit logic, rather than the 32 and64-bit logic used by high-end computers and microprocessors. The device20 has a relatively small flash/persistent store 21 b and volatilememory 21 c in comparison with other the computing devices on thenetwork. Generally, the persistent store 21 b is about a megabyte ofstorage or less and volatile memory 21 c is about several kilobytes ofRAM memory or less. The device 20 has a network interface card 21 d thatinterfaces the device 20 to the network 10. Typically, a wirelessinterface card is used, but in some instances a wired interface could beused. Alternatively, a transceiver chip driven by a wireless networkprotocol stack (e.g., 802.15.4/6LoWPAN) can be used as the (wireless)network interface. These components are coupled together via a busstructure. The device 20 also includes a sensor element 22 and a sensorinterface 22 a that interfaces to the processor 21 a. Sensor 22 can beany type of sensor types mentioned above. As understood, the sensorelement 22 is the physical structure or device that actually senses theactual physical/chemical/biological condition. The notion of a sensorelement could include rather simple devices such as a contact switch ormore complex devices such as a camera with optics and light sensorarrays, as well as certain processing functions. Thus, it is notnecessary to demarcate an exact line between the sensor element andother parts of the sensor device.

In some implementations, a pre-set suite of fixed/mobile sensor packs(discussed below) are used. These pre-set suite(s) of fixed/mobilesensor packs are especially selected for particular applicationsaccording to processing that is discussed below. In any event, eitherindividual sensor devices conventionally deployed throughout a premisesor one or more pre-set suite of fixed/mobile sensor packs are used.

Applications of a security system can be an intrusion detection systemand access control system installed at a premises (not shown). Thepremises could be a commercial premises, but may alternatively be anytype of premises or building, e.g., industrial, residential, etc. Theintrusion detection system could include an intrusion detection paneland would include the sensor devices/detectors 20 (FIGS. 1, 2) disbursedthroughout the premises that would be in communication with the paneland the central monitoring station 49 (also referred to as centralmonitoring center) via communication networks, such as the Internet, asdiscussed above or a phone system or cellular communication system beingexamples of others. An exemplary intrusion detection panel 38 includes aprocessor and memory, storage, a key pad and a network interface card(NIC) coupled via a bus (all not shown).

The sensor/detector devices may be hard wired or communicate with theintrusion detection panel wirelessly. Some or all of sensor/detectors 20communicate wireless with the intrusion detection panel and with thegateways. In general, detectors sense glass breakage, motion, gas leaks,fire, and/or breach of an entry point, and send the sensed informationto the intrusion detection panel. Based on the information received fromthe detectors 20, the intrusion detection panel determines whether totrigger alarms and/or sending alarm messages to the monitoring station.A user may access the intrusion detection panel to control the intrusiondetection system, e.g., disarm, arm, enter predetermined settings, etc.

A dispatch center that in this example is part of the central monitoringstation 49 includes personnel stations (not shown), server(s) systems 14running a program that populates a database (not shown) with historicaldata. The central monitoring station 49 also includes the sensor basedstate prediction system 50.

Applications of a security system can be an access control systeminstalled in premises, and which would include access controller cardreaders, door locks (all not shown) controlled by the access controller.

Referring now to FIG. 3, a system architecture for a sensor-baseddynamic risk event prioritization and recommendation system 40(recommendation system 40) is shown. The recommendation system 40 canoperate with either a cloud-based set of servers (e.g., servers 14, asshown) or non-cloud based, centrally located servers. The recommendationsystem 40 executes application(s) 42 that receive sensor data from alarge plurality of different premises, some of which may be related insome manner to each other. The sensor data are stored in a persistentdatabase 44.

The recommendation system 40 also includes a recommendation engine 46that receives information from information feeds, generally 48. Theinformation feeds 48 can include public information feeds such as news,weather reports, traffic reports, law enforcement, government, as wellas other sources of data including private data sources such as employeedata from a human resources database associated with employees at aparticular premises, and location data from systems that track locationsof key personnel (for example, but not limited to, company executives)and various public social media data feeds relating to social media,etc. The data from the information feeds 48 can be stored in ainformation database (not shown).

The application(s) 42 uses data collection and storage subsystems forgathering data that will be used by the recommendation engine 46. Thecollected data (sensor data from sensor database store 44 and publicinformation data from the feeds 48, etc.) are analyzed using machinelearning algorithms. Certain data are tagged or labeled by the system 40as the data are received or as a post processing step. The large storagesystem (sensor database 44 and information database) used to store thedata is preferably cloud based and could be part of the first tier 12 adiscussed above.

The recommendation engine 46 retrieves the collected data and performsthe designated analysis to generate dynamically updated risk profilesand operational decisions. Those risk profiles and recommendedoperational decisions are transmitted to local systems 50 at affected,local premises (not shown) and/or mobile systems/devices 52, so thatlocal decisions can be made with respect to the updated risk profilesand suggest operational decisions.

Referring now to FIG. 4, a detailed view of aspects of therecommendation system 40 of FIG. 3 is shown. In this view, therecommendation system 40 is shown to include one or more interfaces 62to capture on a continuous basis input data from sensor devices, feeds,etc. These data are fed directly or as shown through an eventconditioner filter 64 to filter out redundant data before being storedfeed data storage 66 or sensor data storage 44 (collectively storage67). The event conditioner filter 64 receives data from and sends datato a dynamic risk event prioritization engine 68. The dynamic risk eventprioritization engine 68 sends dynamically prioritized risk event datato a machine learning engine 70 that executes machine learningalgorithms. The dynamic risk event prioritization engine 68 and themachine learning engine 70 algorithms feed alert, subscription,notification management engines (collectively 72) and a critical alertengagement engine 74. The notification engine portion of the engine 72feeds customer information to customer systems/devices 76.

The detailed view of aspects of the system architecture of FIG. 5 alsoshows a user portal 80. The user portal 80 is a set of applications, forinstance web based applications, which allows customers associated withthe premises and/or assets within a premises to subscribe to theservice, to receive notifications, and to assign an initial risk ratingto each premises and/or assets, as determined by the customers.

The risk assignments by the customers are based on each customers' ownbusiness rules and are used to generate multifactor risk profiles thatare assigned to all assets in a customer's premises. The customersuggests business rules and the system implements these business rulesthat are assigned to assets, as reflected by the dotted lines from theuser portal 80 to the event condition filter 64, dynamic prioritizationengine 70 and machine learning engine 68, as well as the alert,subscription and notification manager 72. Dotted lines from the userportal 80 to the event condition filter 64, dynamic prioritizationengine 70 and machine learning engine 68, as well as the alert,subscription and notification manager 72 are used to indicate networkpaths for messages from user systems (not shown) with the messages (notshown) providing influences to the respective engines through thecustomer suggested business rules, rather than the system directlyreceiving and implementing these business rules. The customer's businessrules can take into consideration various items, such as activitiesperformed in a specific premises, the level and type of people presentin that specific premises, the types of materials/products/items storedin that specific premises, etc.

In addition to risk profiles there are events that affect the safety or“riskiness” of the asset. An initial risk level profile systemarchitecture uses the cloud based set of servers 14 or centrally locatedservers to execute the machine learning algorithms. These machinelearning algorithms can be of various types including supervised andunsupervised algorithms that receive the sensor data from premises andpublic information feeds and from that data makes decisions, especiallysecurity related decisions for a particular premises or a set ofpremises.

Referring now to FIG. 5, machine learning processing 90 for the systemis shown. This processing 90 includes training processing 92 and modelbuilding processing 94, which can be an iterative process as shown byloop 96. The machine learning processing 90 is used in operation of thesensor based state prediction system 40.

Referring now to FIG. 5A, in general, the recommendation system 40builds risk profiles. The recommendation system 40 receives 102 a riskprofile for a physical premises, processes 104 collected sensorinformation from plural sensor devices deployed in the premises and withphysical objects being monitored by the sensor devices in the premisestogether with received real-time data feeds relevant to the geographiclocation of the physical premises. The recommendation system 40 executesone or more learning models (FIG. 5) that continually analyzes thecollected sensor information and data feeds to produce operationaldecisions based on the sensor information and data feeds.

The system in response predicts changes to the risk profile based on thecontinual analysis of sensor information and determines a new riskprofile for the physical premises based on the predicted changes. Fromthe new determined risk profile, the system determines responsesappropriate for the new risk profile, produces response messages basedon the determined responses and sends the generated response messages toa system/device.

Referring now to FIG. 6, aspects of the risk profile processing 110 onthe system of FIG. 3 (and FIG. 4) is shown. The training processingtrains the recommendation engine 40 by accessing 112 an initial profilefor a specific premises, processing 114 sensor data from that premisesand processing the sensor data by the machine learning algorithms, todetect 116 any effects (changes) on the initial profile.

The risk profile processing 110 detects changes in the processed sensordata and feed data and compares 118 to the initial profile and evaluates120 the changes. The risk profile processing 110 also in addition todetecting changes, predicts changes to a risk level in the risk profilebased on the detected changes in the sensor data, as well as, changes inexternal data. For example, the risk profile processing 110 receivesreal time weather data from an external service and monitors that dataas well as predicted weather patterns. Based on these predictions and/orthe sensor data, the risk profile processing 110 may raise the risklevel in the risk profile based on a prediction of an event, rather thanan actual change in the weather. That is, the risk profile is updated122 based on an expected change rather than an actual change.

Another example is where there is crime spree in an area against assetsthat are similar to assets being protected by this system. In that case,the system receives real time new reporting data, and the systemevaluates the data against sensor data, etc. and may raise the riskrating in anticipation of the crime spree spreading to the locationprotected by the system. Therefore “changes” to the risk level can bethe result of monitored changes to sensor data, but also can be based on“predicted” or “anticipated changes” based on external data and/orsensor data.

Referring now to FIG. 7, additional aspects of the risk profileprocessing 110 on the system of FIG. 3 (and FIG. 4) are shown. Asdescribed above, the risk profile processing 110 detects changes in theprocessed sensor data and feed data and compares those changes to theinitial profile and evaluates the degree of change. The evaluation ofthe degree of change can be used as a threshold to determine whetherchanges can be or should be made to a profile. Typically, a user throughthe portal could set a threshold or the system could have defaultthreshold changes for each of several parameters. For example, certainparameters can be based on probabilities. For those parameters, apercent change in a range of 1% to 10% for increasing a probability ofan event may not be considered significant, whereas a percent change ina range of 10-15% for increasing a probability of an event may beconsidered significant and percent changes beyond 15% for increasing aprobability of an event could be considered very significant.

From the risk processing 110, the system 40 extracts 130 changes (eitherall or just those that are deemed of significance) generates 132 a listof most probable decisions according to the business rules of thecustomer and the extracted changes. In some implementations where themachine learning algorithms are unsupervised, the process eithermanually or automatically labels these detected changes. In otherimplementations, where the machine learning algorithms are supervised,the process 110 uses these labels supplied with the data to label thesedetected changes. From the extracted changes, the system determines,when there is a difference whether something unusual has happened in thepremises being monitored or whether a normal condition of the premisesbeing monitored is present. With this information the system labels thechanges as “no action” or “action” transitions. Either the system ormanual intervention is used to label either at the system level or theunderlying sensor level.

In some embodiments, the system applies unsupervised algorithm learningmodels to analyze historical and current sensor data records from one ormore customer premises and generates a model that can predict patterns,anomalies, conditions and events over a time frame that can be expectedfor a customer premises or for a related premises. The sensor basedstate prediction system 40 produces a list of one or more predicteddecisions that may result in on or more alerts being sent to one moreuser devices as well as other computing system. The prediction system 40uses various types of unsupervised machine learning models includingLinear/Non-Linear Models, Ensemble methods etc.

In either event, the risk processing 110 prioritizes 134 the generatedlist of most probable decisions according to the business rules of thecustomer and determines 136 if the decision is critical decision. In theevent it is not a critical decision, e.g., according to the customerbusiness rules or other rules, e.g., system default rules, the riskprocessing 110 can loop. In other situations, where the machine learningalgorithms process a critical decision from these detected changes, thesystem determines 138 the suitable alert, e.g., from the business rules,determines the contact and message, etc. The system sends 140 thedetermined message as an alert and stores 142 the alert and loops.

Referring to FIG. 8, while the risk processing 110 processes data fromvarious sensor devices deployed at a specific premises to provide thedata on which the risk profile changes and operational decisions forthat premises are based.

Another aspect includes group-based risking profiling processing 170 forproducing a risk profile and an evaluation of risk to provideoperational decisions that can be applied across a grouping of similarsituated premises. Applying a produced risk profile and an evaluation ofrisk with respect to operational decisions is based on determinationsmade with respect to a non-empty subset that has at least one and mayhave more than one but not all of the premises in the group. The systemexecuting a group based risk profile processing 170 forms 172 pluralgroups of premises into risk groupings. Each risk grouping will containpremises grouped according to shared characteristics among the premises.For a given risk grouping, the risk profiles of those premises can betreated as a group for certain risk profile changes and operationaldecisions.

The risk groups are formed by examining various grouping criteria.Criteria include geographic proximity, similarity with respect to typeof premises, e.g., activities carried on in the premises that are thesame or similar, similarity with respect to types of operationaldecisions that would be potentially encountered, similarity with respectto types of sensor devices deployed and similarity with respect tocommonality of interests, e.g., ownership or affiliation or othercriteria. Any criterion can be used provided that criterion has abearing on predicting of changes in risk profiles.

Several techniques could be used to form risk groupings. For example,the risk profile processing 170 executes the forming process 172 bycomputing a Euclidean distance between premises (P) using criteriavectors that represent various criteria attributable to each givenpremises. The risk profile processing 170 measures the distances betweenvectors, using differences between the square roots of the sum of thesquares of the values of a vector. From the distances, clusters (C) ofpremises (P) are thus provided, and by using any clustering techniquethe clusters (C) of premises (P) are grouped together based on thecalculated distances. From the formed clusters of vectors V based on theEuclidean distance these clusters are used to segment 83 the entities.

A typical format for a vector is shown below

Premises ID Criterion 1 Criterion 2 ***   Criterion n

Also shown below is a typical vector having values

ID value Value Value   *** value

Some criterion can be represented directly as numeric values, whereasothers are text values that need to be normalized to numeric values. Forinstance, presume that criteria 2 is an ownership field, the groupingprocess can perform a look up of various entities according to ahierarchical structure that stores entity relationships andaffiliations. For example, given a Premises 1, assume that the ownershipis “XYZ corp.” that is assigned a numeric value “125.0.” That value ispopulated in the element of Criterion 2 for a first vector forPremises 1. Next, assume a Premises 23 has an ownership of XWQ corp,which in an access to the hierarchical structure, shows that XWQ corp,is a subsidiary of XYZ corp., with a value of “125.1.” The process 172could chose to ignore this or use it by placing the value into Criterion2 for a second vector for Premises 23. Conversely, assume that aPremises 54 has an ownership of AWD corp. with no relationshipwhatsoever to either XWQ corp, or XYZ corp. In that instance thedistance could be computed ignoring the Criterion 2 field. In anotherexample, a Premises 78 has the same ownership “XYZ corp.” as XYZ corp.The vector for Premises 78 would have the numeric value “125.0” in theCriterion 2 field. Other arrangements are possible, such as representingnon-numeric values, e.g., “ownership” as classes and only the sameclasses of vectors could be grouped together.

In any event, clustering uses these vectors as “points” in anN-dimensional space and the clustering determines whether a point Pi isclose to another point Pi+1 of the same class (which could be anotherway to deal with ownership and other non-numeric values), by determiningthe distance between those points as X=Pi+1−Pi+1 in the N-dimensionalspace and comparing the distance X to a threshold value T (calculated orempirical). Clustering determines the distance X between all points, andgroups them into the clusters (groups) provided that the distance Xbetween any two points is less than or equal to the threshold value T.Clustering determines the distance X between a point Pi+1 and any pointin each existing cluster, compares that distance X to the threshold Tand determines whether the point Pi+1 belongs in the existing cluster ora new cluster and does this for all points.

Optionally, for a very large group (with a potential loss of resolution)if a sufficient number of entities were clustered into a sufficientnumber of groups a centroid is determined for each cluster. Finding acentroid involves finding a point that best represents the cluster,e.g., is at the center of the cluster or which is clustered around thepredominant number of points in the cluster. Thus, the clusteringalgorithm group points into clusters and from the cluster a centroid isfound that is used to represent the points and all possible furtherpoints in the cluster. The centroid “D,” is the point P in N-dimensionalspace, which along with a determined tolerance, variance or standarddeviation represents that particular cluster. The centroid D is thatpoint in the cluster (either calculated or an actual point) that is atthe center of all of the points in the cluster. The centroid point D,along with the determined tolerance, variance or standard deviation andthe identification of the class corresponding to the cluster is storedin a database. Thereafter the centroid along with the tolerance could beused to segment new entities or other entities from the very largegroup.

The risk profile processing 110 discussed in FIGS. 6 and 7 is conducted174 for one of or for each one of the premises in the non-empty subsetof premises in a given group. According to how the given group wasformed, for instance criteria used, and e.g., similarity with respect totypes of sensor devices deployed was not a criteria considered in thegrouping, any operations decisions made for the premises in thenon-empty subset of premises in the given group can be communicated toother premises in the group. The group based risk profile processing170, retrieves the group that premises belongs to 176, and determineswhether any of the operational decisions or other results can be appliedto other members of group 178. If yes, it retrieves the premises ID 180,sends 182 alerts or other results to the premises and stores 184 thealert.

All of the premises in the group thus will benefit from an overallnetwork effect, meaning that some of these other premises can have afull host of sensor devices deployed, such as the first one of thepremises, while other premises, such as a second premises, denoted as aspecific premises of interest may have only a few of sensor devices of acertain type, deployed or does not have any sensor devices at alldeployed.

In other situations, the given group could have been formed using as acriterion grouping according to similarity with respect to types ofsensor devices deployed, and any operations decisions made for the firstsubset of premises can be communicated to other premises in the group.All of the premises in the group would also benefit from an overallnetwork effect according non-empty subset of premises in the givengroup.

The sensor data coming from the first premises in the group are used toinfluence the risk profile and operation decisions of the specificpremises of interest. In other words, analysis for each of the premisesin the group of premises can be provided from analysis of the collecteddata from the first premises, and this analysis can be used to effectdecision in the specific premises.

Thus, some of the criteria could be that the specific premises in thegroup is geographically close to the first premises and there is acommon interest among each of the premises in the group, such that eachis similarly affected by predicted risk assessments, such thatoperational decisions and risk profile changes can be made for theentire group based on the sensor devices at a subset of the specificpremises.

Another aspect is that the premises in a group could each have differenttypes of sensor devices deployed. Operational decisions for the entiregroup can be made by aggregating the sensor data from each of thepremises as long as there is a common interest among the premises. Forexample, some locations in the group could have intrusion detectionsystems while others have video surveillance systems. While the firstlocation is not recording any forced door alarms, the second locationmay detect intruders moving about the outside of the building.Accordingly, the risk profile of both locations could be raised andappropriate operational decisions made.

The trained recommendation engine generates the operational decisions.Operation of the system is similar to training but is in general, anon-going process.

The system includes a graphical user interface generator receives datafrom the recommendation engine and generates a graphical user interfacethat is rendered on a display device of a client system/device. Severaldifferent graphical user interfaces can be generated.

The system produces responses that are directives for actions, as aresult of changes to risk levels in a profile. For example, giving thetwo examples above, as the system detects changes in the risk level, thesystem access business rules to generate a response to the detectedchanges.

For example, when the system raises the risk level based on detectedchanges in real time weather data depending on the risk level change thesystem generates system control response messages that control othersystems. These system control response messages can be based on thesystem evaluating business rules with respect to protected premises.These actions can be control messages to systems that controlautomatically deployable storm shutters, e.g., for high winds, tosystems that prohibit parking on roof levels of parking garages foranticipated snow.

In the crime spree example, when the system raises the risk level basedon detected changes in real time news reporting data depending on therisk level change, the system generates system control response messagesthat control other systems. These system control response messages canbe based on the system evaluating business rules with respect toprotected premises. These system control response messages includeinstructions to perform designated actions by systems. Such systems canbe access control systems, systems that control automatically deployablegates, doors, etc. systems that control signs, etc. to secure a physicalpremises, e.g., a corporate facility to at a higher level of security.

Other responses can be action type responses, rather than systemscontrol responses. Action type responses generate action type responsemessages typically with instruction on how users should physicallyrespond to the event. For example, the response to certain changes inrisk level is changed based on the level of the risk profile. Forexample, forced door alarms are responded to in a more immediate waywhen an HR feed indicates that an executive is present in the buildingcompared to when there are no executives present. Another example is theway an intrusion alarm is responded to when a warehouse is full ofmerchandise compared to when the warehouse is empty. In this case sensordevices in the warehouse can detect the presence or absence ofmerchandise and feeds can provide information to the system to indicaterelative value of the merchandise.

In the exemplary use cases discussed below, either the system controlresponse message type or the action type messages (or both) aregenerated based on changes in the risk level. Typically, the systemcontrol response messages are control messages that are sent to devicesand/or systems that control equipment. Examples of such equipmentinclude automatically deployable gates, doors, electronic signs, etc. asmentioned above. Whereas, action type response messages are messageswith detailed instructions for user(s) on how to respond to an event andare typically sent to user devices, rather than systems that controlequipment. Of course given the type of event both types of messages canbe provided. The sever accesses a file that includes IP addresses fordevices and/or systems to which the various types of messages aredirected.

Exemplary Use Cases

Exemplary use cases include access control. Consider that an accesscontrol card is found/acquired by unauthorized user. The unauthorizeduser tries multiple doors in a company's facility, i.e., targetedpremises to find one that opens. Access control system data resultingfrom these attempts are sent to the cloud application that identifiesthe multiple unsuccessful access attempt by card reads from sensordevices on access card reader devices. The cloud application processesthese data and as a result determines a decision that is arecommendation to raise the risk profile of the targeted premises andother related premises that are located in a defined radius of thetargeted premises, and notifies building managers and securitypersonnel. The system also generates the operational decision to requiresecondary verification for all doors at both locations and initiatesemails to all authorized users whose cards are used to open doors toverify they were the ones using the card. Those actions are eitherautomatically initiated by the system or by local building managementpersonnel in response to notification from the system.

A second use case can involve a gunshot detector or a microphone withsoftware tuned to recognize gunshots. In this example gunshots aredetected through a smart phone application on a cell phone. The cellphone sends a signal to the monitoring center and the systemautomatically raises the risk level in a geo-fenced area based on thelocation of the gunshot. The system automatically sends alerts to lawenforcement.

Thus the system dynamically and in near real time or in real timeidentifies and produce macro security events. Using the same inputs andtechniques described above the system analyzes event patterns and sensordata patterns to expose macro security events that require immediateaction. For example, many door held open alarms that occur right afterseveral denied entry events may signal that an intruder has access to asecure area. Note that the dynamic risk capability described above isused to prioritize the macro event and to recommend the action thatshould be taken.

Conversely, as the system detects that events which elevated the risklevel have disappeared, the system generates system control responsemessage type or the action type messages (or both) to return a premisesto a normal state. The system would accomplish this return to the normalstate for a premises according to evaluation of business rules.

Various combinations of the above described processes are used toimplement the features described.

The recommendation system 40 of FIG. 4, including the eventprioritization and recommendation engine 68 (FIG. 4) can be implementedas a “virtual” system. In one implementation, the recommendation system40 would have in the event prioritization and recommendation engine 68 avirtual security control center (VSCC) provided by a AI engine.

Referring now to FIG. 9, an embodiment of a (VSCC) system is shown. TheVSCC 200 includes a NLP engine 210 an artificial intelligence (AI-based)engine, message queues 202, a preprocessing agent 204, event databases206, and interfaces 208 to a network of devices, and so forth. The VSCC200 is hosted on a server computer or distributed over multiple servercomputers, and thus minimizes need for human oversight and associatedphysical facilities, by reduced operations costs of a security controlcenter (SOC).

The above sub-systems or elements of the VSCC 200 to implement aspectsof the business rules for the recommendation engine 40 will be furtherdescribed. The message queue or set of integrated queues 202 storedata/messages from devices 1-n. The set of distributed devices (aregenerally located around the world) are capable of pushing sensorupdates and/or status notices (e.g., as a published web service) to themessage queue 202 or queues. The sub-systems or elements of the VCSS 200also include a parsing agent or set of agents that performpre-processing 204 of the messages in the message queue 202, and storesthe messages and results of the pre-processing in a database 206 (rawdata store) accessible by the AI agent 210.

For example, the VCSS 200 can use as a store a NoSQL database (a “nonSQL” or “non-relational” database that stores and retrieves of datausing a model other than tabular relations used in relational databases)with Extensible Markup Language (XML) or JavaScript Object Notation(JSON) tagged data items, and a database or “raw data store.”

In an embodiment of the NLP engine 210, the NLP engine 210 includes anNLP (natural language processing) agent 212 and components that compriseinternal agent architecture. The NLP engine 210 includes variousinternally managed data stores 216 that are structures to store data.The NLP engine 210 includes concept maps 214 to sensor devices and theircapabilities and ontologies 218. The AI engine 210 includes the NLPagent 212 as either the primary part of the AI engine or as ahuman-friendly interface to some other type of analytical engine toapply the rules 224 required to define and identify security breachevents based on stored or learned patterns and events.

The system uses the AI engine 210 for monitoring of a large number ofsensor devices and other security devices to recognize, with greatfidelity, the occurrence of real security breaches. The AI engineincludes a conversational module (semantic UI) 226 for facilitatinginteraction between a human expert and the NLP based AI engine to reviewevents and improve the rules applied by the agent to identify securitybreaches. Each NLP agent 212 can communicate using web-basedconversations among multiple ones of the NLP agents to mutually improvetheir collective set of breach identification rules.

Another sub-system or element of the VCSS 200 is a rule update andnotification web service to inform a collection of NLP agents regardingnew or updated rules (as in the case where, for example, the NLP agent212 and its human security expert overseers discover a new securitybreech type and the rule or rules by which it may be identified).

The NLP agent 212 is configured to determine anomalous events and ask,through an interface to a human for additional information to confirm asecurity breach. Since the engine understands the information providedby sensor devices in general, the engine can suggest additional sensordevices for situations where complete information is not provided byexisting infrastructure. The NLP agent 212 can determine whetherinsufficient data is present in order to render a result and thus formand send one or more queries other NLP agents or functions within abuilding for additional information. For instance, a video stream couldbe used to detect intrusion and the NLP agent 212 could query a dooraccess reader for the badge used to enter the space. The NLP agent 212may suggest additional rules based on various events that were notinitially programmed into the agent but which were discovered byexecution of unsupervised learning algorithms. The NLP agent 212 maysuggest that rules are incorrectly implemented. For instance, motiondetection could be triggered by a certain size object. However, the sizemay be so large that the detector is never triggered. The agent coulddetect the motion and realize that the rule may be incorrectly formed.The agent may suggest new rules based on information gathered an eventthat correlates to an existing rule and provides additional eventverification.

Security breaches are often difficult to detect, particularly in caseswhere sub-system input and output data is not “human readable.” Forexample, a sensor device of some type may give output data of a certaintype with a certain frequency at one time, and then later this typeand/or frequency may change. A human security expert tending the SOCwould not be able, in general, to detect this change by reviewing rawdata (being lost in the complexity and massive extent of the data). A“data crawler” or “scraper” engaged in automated review of the data andapplying a set of event recognition rules would be able to recognize thechange if in fact a rule or rules existed to identify the change.

For simple events (like a temperature exceeding a threshold, or a doorswitch going from closed to open while the alarm status is “armed”) therules are clear.

However, rules to detect security breaches are generally not obvioussince the change in operation of compromised devices may be very subtle.These rules are most likely to be discovered as a result of comparisonsof data patterns from healthy and compromised devices.

These comparisons may involve multiple tests suggested by human experts“in conversation with” the artificial intelligence agent. This makesNLP-based agents ideal for the iterative development of and applicationof event identification rules.

The system includes the open-ended training of the NLP agent 212 bywhich the agent 212 is told to monitor various web-based informationsources which deal with security breach identification. For example, theagent may be told of a website (or discover the website on its own,using standard web crawler technology) which periodically publishes newson certain types of wireless sensor network security failures. The NLPagent 212 may include news articles from this website in its generalmemory and use these as resources in answering questions of the humanexpert when the human agent and NLP agent 212 discuss security issuestogether in the development of new event recognition rules. Also, theNLP agent 212 may include analogy based inference logic (known to thoseskilled in the art of producing AI agents) which can be used by the NLPagent 212 to review news and autonomously hypothesize new rules (forlater verification and sanction by the human experts).

Much of the description of this embodiment has been simplified to avoidunnecessary complexity and confusion. For example, the simple messagequeue 202 would, in most real-world implementations, use a distributedcloud-oriented message queue 202 such as “Apache Kafka” an open-sourcemessage broker developed by the Apache Software Foundation. The databaseused by the NLP agent 212 would probably be a commercial version of aNoSQL database such as Cassandra (Apache) or Mongo (a cross-platformdocument-oriented database by MongoDB Inc.) or Hadoop (Apache). The NLPagent 212 may in some embodiments have control over the behavior of thepre-processor agent. That is, the NLP agent 212 may decide what formatdata may take in the raw data store, so as to facilitate the use of theraw data store by the NLP agent.

Not shown in the figure are the details of the reporting chain that theNLP agent 212 uses to publish the occurrence of a security breech whenone has been identified. Also not shown in the figure is an embodimentwhere a special analytics engine or agent is interposed between the NLPagent 212 and the raw data store. In this case the analytics engineapplies the rules used to recognize events. Otherwise (i.e., when theanalytics engine is not present), this function is internal to the NLPagent.

Servers interface to the sensor based state prediction system 50 via acloud computing configuration and parts of some networks can be run assub-nets. In some embodiments, the sensor devices provide in addition tosensor data, detailed additional information that can be used inprocessing of sensor data evaluate. For example, a motion detector couldbe configured to analyze the heat signature of a warm body moving in aroom to determine if the body is that of a human or a pet. Results ofthat analysis would be a message or data that conveys information aboutthe body detected. Various sensor devices thus are used to sense sound,motion, vibration, pressure, heat, images, and so forth, in anappropriate combination to detect a true or verified alarm condition atthe intrusion detection panel.

Recognition software can be used to discriminate between objects thatare a human and objects that are an animal; further facial recognitionsoftware can be built into video cameras and used to verify that theperimeter intrusion was the result of a recognized, authorizedindividual. Such video cameras would comprise a processor and memory andthe recognition software to process inputs (captured images) by thecamera and produce the metadata to convey information regardingrecognition or lack of recognition of an individual captured by thevideo camera. The processing could also alternatively or in additioninclude information regarding characteristic of the individual in thearea captured/monitored by the video camera. Thus, depending on thecircumstances, the information would be either metadata received fromenhanced motion detectors and video cameras that performed enhancedanalysis on inputs to the sensor that gives characteristics of theperimeter intrusion or a metadata resulting from very complex processingthat seeks to establish recognition of the object.

Sensor devices can integrate multiple sensor devices to generate morecomplex outputs so that the intrusion detection panel can utilize itsprocessing capabilities to execute algorithms that analyze theenvironment by building virtual images or signatures of the environmentto make an intelligent decision about the validity of a breach.

Memory stores program instructions and data used by the processor of theintrusion detection panel. The memory may be a suitable combination ofrandom access memory and read-only memory, and may host suitable programinstructions (e.g. firmware or operating software), and configurationand operating data and may be organized as a file system or otherwise.The stored program instruction may include one or more authenticationprocesses for authenticating one or more users. The program instructionsstored in the memory of the panel may further store software componentsallowing network communications and establishment of connections to thedata network. The software components may, for example, include aninternet protocol (IP) stack, as well as driver components for thevarious interfaces. Other software components suitable for establishinga connection and communicating across network will be apparent to thoseof ordinary skill.

Program instructions stored in the memory, along with configuration datamay control overall operation of the system. Servers include one or moreprocessing devices (e.g., microprocessors), a network interface and amemory (all not illustrated). Servers may physically take the form of arack mounted card and may be in communication with one or more operatorterminals (not shown). An example monitoring server is a SURGARD™SG-System III Virtual, or similar system.

The processor may include, or be in communication with, the memory thatstores processor executable instructions controlling the overalloperation of the monitoring server. Suitable software enable eachmonitoring server to receive alarms and cause appropriate actions tooccur. Software may include a suitable Internet protocol (IP) stack andapplications/clients.

Each monitoring server of the central monitoring station may beassociated with an IP address and port(s) by which it communicates withthe control panels and/or the user devices to handle alarm events, etc.The monitoring server address may be static, and thus always identify aparticular one of monitoring server to the intrusion detection panels.Alternatively, dynamic addresses could be used, and associated withstatic domain names, resolved through a domain name service.

The network interface card interfaces with the network to receiveincoming signals, and may for example take the form of an Ethernetnetwork interface card (NIC). The servers may be computers,thin-clients, or the like, to which received data representative of analarm event is passed for handling by human operators. The monitoringstation may further include, or have access to, a subscriber databasethat includes a database under control of a database engine. Thedatabase may contain entries corresponding to the various subscriberdevices/processes to panels like the panel that are serviced by themonitoring station.

All or part of the processes described herein and their variousmodifications (hereinafter referred to as “the processes”) can beimplemented, at least in part, via a computer program product, i.e., acomputer program tangibly embodied in one or more tangible, physicalhardware storage devices that are computer and/or machine-readablestorage devices for execution by, or to control the operation of, dataprocessing apparatus, e.g., a programmable processor, a computer, ormultiple computers. A computer program can be written in any form ofprogramming language, including compiled or interpreted languages, andit can be deployed in any form, including as a stand-alone program or asa module, component, subroutine, or other unit suitable for use in acomputing environment. A computer program can be deployed to be executedon one computer or on multiple computers at one site or distributedacross multiple sites and interconnected by a network.

Actions associated with implementing the processes can be performed byone or more programmable processors executing one or more computerprograms to perform the functions of the calibration process. All orpart of the processes can be implemented as, special purpose logiccircuitry, e.g., an FPGA (field programmable gate array) and/or an ASIC(application-specific integrated circuit).

Processors suitable for the execution of a computer program include, byway of example, both general and special purpose microprocessors, andany one or more processors of any kind of digital computer. Generally, aprocessor will receive instructions and data from a read-only storagearea or a random access storage area or both. Elements of a computer(including a server) include one or more processors for executinginstructions and one or more storage area devices for storinginstructions and data. Generally, a computer will also include, or beoperatively coupled to receive data from, or transfer data to, or both,one or more machine-readable storage media, such as mass storage devicesfor storing data, e.g., magnetic, magneto-optical disks, or opticaldisks.

Tangible, physical hardware storage devices that are suitable forembodying computer program instructions and data include all forms ofnon-volatile storage, including by way of example, semiconductor storagearea devices, e.g., EPROM, EEPROM, and flash storage area devices;magnetic disks, e.g., internal hard disks or removable disks;magneto-optical disks; and CD-ROM and DVD-ROM disks and volatilecomputer memory, e.g., RAM such as static and dynamic RAM, as well aserasable memory, e.g., flash memory. Tangible, physical hardware storagedevices and computer readable storage media are defined asnon-transitory media.

In addition, the logic flows depicted in the figures do not require theparticular order shown, or sequential order, to achieve desirableresults. In addition, other actions may be provided, or actions may beeliminated, from the described flows, and other components may be addedto, or removed from, the described systems. Likewise, actions depictedin the figures may be performed by different entities or consolidated.

Elements of different embodiments described herein may be combined toform other embodiments not specifically set forth above. Elements may beleft out of the processes, computer programs, Web pages, etc. describedherein without adversely affecting their operation. Furthermore, variousseparate elements may be combined into one or more individual elementsto perform the functions described herein.

Other implementations not specifically described herein are also withinthe scope of the following claims.

What is claimed is:
 1. A computer program product tangibly stored on acomputer readable hardware storage device, the computer program productfor detecting conditions at a physical premises, the computer programproduct comprising instructions to cause one or more circuits to:generate a risk profile for the premises, the risk profile comprisingrisk levels assigned to assets in accordance with a set of businessrules; collect sensor information from a plurality of sensor devicesdeployed at the premises, wherein the sensor devices monitor the assets;receive data feeds relevant to a location of the premises; execute oneor more learning models to continually analyze the sensor informationand the data feeds to update the risk levels based on the sensorinformation and the data feeds; produce an operational decision for oneor more of the assets based on updates to the risk levels; and providethe operational decision to personnel associated with the premises. 2.The computer program product of claim 1, wherein the instructionsfurther cause the one or more circuits to: receive the data feeds from aplurality of sources comprising at least a news source and a weathersource.
 3. The computer program product of claim 1, wherein theinstructions further cause the one or more circuits to: detect changesin the sensor information and the data feeds; evaluate the changes withrespect to the risk profile; and generate a list of most probableoperational decisions.
 4. The computer program product of claim 3,wherein the learning models are unsupervised, and the instructionsfurther cause the one or more circuits to: apply labels to the detectedchanges.
 5. The computer program product of claim 3, wherein thelearning models are supervised, and the instructions further cause theone or more circuits to: apply labels to the sensor information and thedata feeds.
 6. The computer program product of claim 1, wherein theinstructions further cause the one or more circuits to: generate aresponse message comprising instructions to control one or more of theassets; and send the response message to the one or more assets tocontrol operation of the one or more assets.
 7. The computer programproduct of claim 1, wherein the instructions further cause the one ormore circuits to: execute a process to monitor the sensor devices torecognize occurrences of real security breaches associated with thepremises.
 8. A system comprising: a plurality of sensor devicesinstalled at a physical premises; a gateway that couples the sensordevices to a network; a server computer comprising a processor and amemory, the server computer coupled to the network and in communicationwith the gateway; a storage device storing a computer program productfor detecting conditions at the premises, the computer program productcomprising instructions to cause one or more circuits of the servercomputer to: generate a risk profile for the premises, this risk profilecomprising risk levels assigned to assets in accordance with a set ofbusiness rules; collect sensor information from the sensor devicesinstalled at the premises, wherein the sensor devices monitor theassets; receive data feeds relevant to a location of the premises;execute one or more learning models to continually analyze the sensorinformation and the data feeds to update the risk levels based on thesensor information and the data feeds; produce an operational decisionfor one or more of the assets based on updates to the risk levels; andprovide the operational decision to personnel associated with thepremises.
 9. A system comprising: a plurality of sensor devicesinstalled at a first physical premises; a gateway that couples thesensor devices to a network; a server computer comprising a processorand a memory, the server computer coupled to the network and incommunication with the gateway; a storage device storing a computerprogram product for detecting conditions at the first premises, thecomputer program product comprising instructions to cause one or morecircuits of the server computer to: generate a risk profile for thefirst premises, the risk profile comprising risk levels assigned toassets in accordance with a set of business rules; collect sensorinformation from the sensor devices installed at the first premises,wherein the sensor devices monitor the assets; receive data feedsrelevant to a location of the premises; execute one or more learningmodels to continually analyze the sensor information and the data feedsto update the risk levels based on the sensor information and the datafeeds; produce an operational decision for one or more of the assets inaccordance with updates to the risk levels; identify a second physicalpremises that shares one or more characteristics with the firstpremises; and provide the operational decision to personnel associatedwith the first premises and personnel associated with the secondpremises.
 10. The computer program product of claim 1, wherein thepremises comprises a first premises, and the instructions further causethe one or more circuits to: identify a second physical premises thatshares one or more characteristics with the first premises; and providethe operational decision to personnel associated with the secondpremises.
 11. The computer program product of claim 10, wherein theinstructions further cause the one or more circuits to: identify a thirdphysical premises that shares one or more characteristics with the firstpremises and the second premises; and form a grouping comprising thefirst premises, the second premises, and the third premises; and providethe operational decision to personnel associated with the thirdpremises.
 12. The system of claim 8, wherein the premises comprises afirst premises, and the instructions further cause the one or morecircuits to: identify a second physical premises that shares one or morecharacteristics with the first premises; and provide the operationaldecision to personnel associated with the second premises.
 13. Thesystem of claim 12, wherein the instructions further cause the one ormore circuits to: identify a third physical premises that shares one ormore characteristics with the first premises and the second premises;and form a grouping comprising the first premises, the second premises,and the third premises; and provide the operational decision topersonnel associated with the third premises.
 14. The system of claim 8,wherein the instructions further cause the one or more circuits to:receive the data feeds from a plurality of sources comprising at least anews source and a weather source.
 15. The system of claim 8, wherein theinstructions further cause the one or more circuits to: detect changesin the sensor information and the data feeds; evaluate the changes withrespect to the risk profile; and generate a list of most probableoperational decisions.
 16. The system of claim 15, wherein the learningmodels are supervised, and the instructions further cause the one ormore circuits to: apply labels to the sensor information and the datafeeds.
 17. The system of claim 8, wherein the instructions further causethe one or more circuits to: generate a response message comprisinginstructions to control one or more of the assets; and send the responsemessage to the one or more assets to control operation of the one ormore assets.
 18. The system of claim 9, wherein the instructions furthercause the one or more circuits to: receive the data feeds from aplurality of sources comprising at least a news source and a weathersource.
 19. The system of claim 9, wherein the instructions furthercause the one or more circuits to: detect changes in the sensorinformation and the data feeds; evaluate the changes with respect to therisk profile; and generate a list of most probable operationaldecisions.
 20. The system of claim 9, wherein the instructions furthercause the one or more circuits to: generate a response messagecomprising instructions to control one or more of the assets; and sendthe response message to the one or more assets to control operation ofthe one or more assets.